The present disclosure relates to identification and analysis of data transferred via a communications network, and more particularly to identification, detection and analysis of harmful or malicious software or data.
As computer network technology and infra structure have improved over the years, the amount and speed of data transferred between computer network devices has drastically increased. Among this transferred data is a class of data referred to as malware. Malware, or malicious software, is a computer program designed to infiltrate a computing device without the device owner's knowledge or consent. Malware has come to refer to a generic class of software including a variety of hostile, intrusive or otherwise annoying forms of software or computer code. Malware includes various viruses, worms, trojan horses (or trojans), rootkits, spyware, adware and any other unwanted malicious software. Various types of malware may collect personal information related to a user and send this information back to an information collecting device. Other types of malware may cause a computing device to function poorly, or to not function at all.
One attempt at identifying and removing malware is antivirus software. Conventional antivirus software uses search sequences and rules-based analysis to look for known malware. However, malware code may be frequently changed by the malware program author such that search sequences and rides-based analysis may fail to detect updated programs.
Newer antivirus software uses more advanced and sophisticated identification techniques, especially when trying to detect new and unknown malware programs. Existing malware programs may share similar patterns of commands that, regardless of the actually coding used to implement the malware, may be identified by the antivirus software. However, such methods are not very useful for detecting new and unknown viruses having no previously detected pattern of operation.
To address this problem, recently-developed antivirus software detection methods evaluate suspicious program behavior. If antivirus software finds major differences from what may be called “good manners,” an antivirus software application may assume that it has detected a new virus or malware program. These methods may be referred to using the overall term of “heuristic” malware detection methods. Typically, a heuristic analysis means that the examined program is being launched in some isolated and safe environment, and the method investigates its performance. The method tries to collect as much information as possible and evaluate whether an examined program's performance can be considered legitimate, or whether the program strives for something unusual or dangerous. If suspicious activity is detected, the program may be categorized as suspicious or even harmful.
Heuristic analysis can provide several advantages. It works regardless of whether the examined program have been examined in the past. It can also recognize new viruses and trojans. However, there are some disadvantages as well. These include:
1) Lack of accuracy. No heuristic method can be considered fully accurate. The border between correct and harmful software behavior can be foggy. Therefore, false alarms on clean programs, as well as missed detections of real malware, can be common.
2) Time demands. It is very time demanding to launch a program in a safe environment where one can be sure that no harm will result.
3) Countermeasures. Malware authors use number of tricks to prevent this type of analysis. It is extremely difficult to avoid all traps and intrigues.